Abstract

The recent emergence of heavily-optimized modal decision procedures has highlighted the key 
role of empirical testing in this domain. Unfortunately, the introduction of extensive empirical tests 
for modal logics is recent, and so far none of the proposed test generators is very satisfactory. To 
cope with this fact, we present a new random generation method that provides benefits over previous
methods for generating empirical tests. It fixes and much generalizes one of the best-known
methods, the random CNF□m test, allowing for generating a much wider variety of problems, covering
in principle the whole input space. Our new method produces much more suitable test sets for
the current generation of modal decision procedures. We analyze the features of the new method 
by means of an extensive collection of empirical tests. 



1. Motivation and Goals 

Heavily-optimized systems for determining satisfiability of formulae in propositional modal log- 
ics are now available. These systems, including DLP (Patel-Schneider, 1998), FaCT (Horrocks, 
1998), *SAT (Giunchiglia, Giunchiglia, & Tacchella, 2002), MSPASS (Hustadt, Schmidt, & Weidenbach,
1999), and RACER (Haarslev & Möller, 2001), have more optimizations and are much
faster than the previous generation of modal decision procedures, such as leanK (Beckert & Gore,
1997), Logics Workbench (Heuerding, Jager, Schwendimann, & Seyfreid, 1995), DKE (Pitt &
Cunningham, 1996) and KSAT (Giunchiglia & Sebastiani, 2000).¹

As with most theorem proving problems, neither computational complexity nor asymptotic al- 
gorithmic complexity is very useful in determining the effectiveness of optimizations, so that their 
effectiveness has to be determined by empirical testing (Horrocks, Patel-Schneider, & Sebastiani, 
2000). Empirical testing directly gives resource consumption in terms of compute time and memory 
use; it factors in all the pieces of the system, not just the basic algorithm itself. Empirical testing 
can be used not only to compare different systems, but also to tune a system with parameters that 
can be used to modify its performance; moreover, it can be used to show what sort of inputs the 
system handles well, and what sort of inputs the system handles poorly. 

Unfortunately, the introduction of extensive empirical tests for modal logics is recent, and so 
far none of the proposed test methodologies are very satisfactory. Some methods contain many
formulae that are too easy for current heavily-optimized procedures. Some contain high rates of
trivial or insignificant tests. Some generate problems that are too artificial and/or are not a significant
sample of the input space. Finally, some methods generate formulae that are too big to be parsed
and/or handled.

1. For a more complete list see Renate Schmidt's Web page listing theorem provers for modal logics at
http://www.cs.man.ac.uk/~schmidt/tools/.

For the reasons described above, we presented (Horrocks et al., 2000) an analytical survey of
the state-of-the-art of empirical testing for modal decision procedures. Here instead we present a
new random generation method that provides benefits over previous methods for generating empirical
tests, built on some preliminary work (Horrocks et al., 2000). Our new method fixes and much
generalizes the 3CNF□m methodology for randomly generating clausal formulae in modal logics
(Giunchiglia & Sebastiani, 1996; Hustadt & Schmidt, 1999; Giunchiglia, Giunchiglia, Sebastiani,
& Tacchella, 2000) used in many previous empirical tests of modal decision procedures. It eliminates
or drastically reduces the influence of a major flaw of the previous method,² and allows for
generating a much wider variety of problems.

In Section 2 we recall a list of desirable features for good test sets. In Section 3 we briefly 
survey the state-of-the-art test methods. In Sections 4 and 5 we present and discuss the basic and 
the advanced versions of our new test method respectively, and evaluate their features by presenting 
a large amount of empirical results. In Section 6 we provide a theoretical result showing how 
the advanced version of our method, in principle, can cover the whole input space. In Section 7 
we discuss the features of our new method, and compare it wrt. the state-of-the-art methods. In 
Section 8 we conclude and indicate possible future research directions. 

A 5-page system description of our random generator has been presented at IJCAR'2001 (Patel- 
Schneider & Sebastiani, 2001). 

2. Desirable Features for Good Test Sets 

The benefits of empirical testing depend on the characteristics of the inputs provided for the testing, 
as empirical testing only provides data on these particular inputs. If the inputs are not typical or 
suitable, then the results of the empirical testing will not be useful. This means that the inputs 
for empirical testing must be carefully chosen. With Horrocks (Horrocks et al., 2000) we have 
previously proposed and motivated the following key criteria for creating good test sets. 

Representativeness: The ideal test set should represent a significant sample of the whole input 
space. A good empirical test set should at least cover a large area of inputs. 

Difficulty: A good empirical test set should provide a sufficient level of difficulty for the system(s) 
being tested. (Some problems should be too hard even for state-of-the-art systems, so as to 
be a good benchmark for forthcoming systems.) 

Termination: To be of practical use, the tests should terminate and provide information within a 
reasonable amount of time. If the inputs are too hard, then the system may not be able to 
provide answers within the established time. This inability of the system is of interest, but
can make system comparison impossible or insignificant. 

2. That is, a significant amount of inadvertently trivial problems are generated unless the parameter p is set to 0 (Horrocks
et al., 2000). See Section 4.1 for a full discussion of this point.

Scalability: The difficulty of problems should scale up, as comparing absolute performances may
be less significant than comparing how performances scale up with problems of increasing 
difficulty. 

Valid vs. not-valid balance: In a good test set, valid and not-valid problems should be more or 
less equal both in number and in difficulty. Moreover, the maximum uncertainty regarding the 
solution of the problems is desirable. 

Reproducibility: A good test set should allow for easily reproducing the results. 

The following criteria derive from or are significant sub-cases of the main criteria above. 

Parameterization: Parameterized inputs with sufficient parameters and degrees of freedom allow 
the inputs to range over a large portion of the input space. 

Control: In particular, it is very useful to have parameters that control monotonically the key fea- 
tures of the input test set, like the average difficulty and the "valid vs. non-valid" rate. 

Modal vs. propositional balance: Reasoning in modal logics involves alternating between two orthogonal
search efforts: pure modal reasoning and pure propositional reasoning. A good test
set should be challenging from both viewpoints. 

Data organization: The data should be summarizable — so as to make a comparison possible with
a limited effort — and plottable — so as to enable the qualitative behavior of the system(s) to 
be highlighted. 

Finally, particular care must be taken to avoid the following problems. 

Redundancy: Empirical test sets must be carefully chosen so as not to include inadvertent redun- 
dancy. They should also be chosen so as not to include small sub-inputs that dictate the result 
of the entire input. 

Triviality: A good test set should be flawless, that is, it should not contain significant subsets of 
inadvertent trivial problems. 

Artificiality: A good empirical test set should correspond closely to inputs from applications.

Over-size: The single problems should not be too big w.r.t. their difficulty, so that the resources 
required for parsing and data managing do not seriously influence total performance. 

These criteria, which are described and motivated in detail by Horrocks et al. (2000), have been 
proposed after a five-year debate on empirical testing in modal logics (Giunchiglia & Sebastiani, 
1996; Heuerding & Schwendimann, 1996; Hustadt & Schmidt, 1999; Giunchiglia et al., 2000;
Horrocks & Patel-Schneider, 2002). (Notice that some of these criteria are identical or similar to 
those suggested by Heuerding & Schwendimann, 1996.) 

The above criteria are general, and in some cases they require some interpretation. First, some 
of them have to be implicitly interpreted as "unless the user deliberately wants the contrary for some 
reason". For instance, it might be the case that one wants to deliberately generate easy problems, 
e.g., to be sure that the tested procedure does not take too much time to solve them, or redundant 
problems, e.g., to test the effectiveness of some redundancy elimination technique, or satisfiable
problems only, e.g., to test incomplete procedures. To this extent, the key issue here is having a 
reasonable form of control over these features, so that one can address not only general-purpose 
criteria, but also specific desiderata. 

Second, in some cases, there may be a tradeoff between two distinct criteria, so that it may 
be necessary to choose only one of them, or to make a compromise. One example is given by 
redundancy and artificiality: in some real-world problems large parts of the knowledge base are
irrelevant for the query, whose result is determined by a small subpart of the input; in this sense 
eliminating such "redundancies" may make problems more "artificial". 

Particular attention must be paid to the problem of triviality, as it has claimed victims in many 
areas of AI. In fact, flaws (i.e., inadvertent trivial problems) have been detected in random generators 
for SAT (Mitchell, Selman, & Levesque, 1992), CSP (Achlioptas, Kirousis, Kranakis, Krizanc, Molloy,
& Stamatiou, 1997; Gent, MacIntyre, Prosser, Smith, & Walsh, 2001), modal reasoning (Hustadt
& Schmidt, 1999) and QBF (Gent & Walsh, 1999). Thus, the notion of "trivial" (and thus
"flawed") deserves more comment. 

In the work by Achlioptas et al. (1997) flawed problems are those solvable in linear time by 
standard CSP procedures, due to the undesired presence of implicit unary constraints causing some 
variable's value to be inadmissible. A similar notion holds for SAT (Mitchell et al., 1992) and QBF 
(Gent & Walsh, 1999). In the literature of modal reasoning, instead, the typical flawed problems 
are those whose (un)satisfiability can be verified directly at propositional level, that is, without 
investigating any modal successors; problems of this kind are typically solved in negligible time
w.r.t. other problems of similar size and depth (Hustadt & Schmidt, 1999; Giunchiglia et al., 2000;
Horrocks et al., 2000).³ Thus, with a little abuse of notation and when not otherwise specified, in
this paper we will call trivially (un)satisfiable the problems of this kind.⁴

3. An Overview of the State-of-the-art 

Previous empirical tests have mostly been generated by three methods: hand-generated formulae 
(Heuerding & Schwendimann, 1996), randomly-generated clausal modal formulae (Giunchiglia & 
Sebastiani, 1996; Hustadt & Schmidt, 1999; Giunchiglia et al., 2000), and randomly-generated
quantified boolean formulae that are then translated into modal formulae (Massacci, 1999). 

We have already presented a detailed analysis of these three methods (Horrocks et al., 2000). 
Here we present only a quick overview of the latter two methods, as we will refer to them in following
sections.⁵

3.1 The 3CNF□m Random Tests

In the 3CNF□m test methodology (Giunchiglia & Sebastiani, 1996; Hustadt & Schmidt, 1999;
Giunchiglia et al., 2000), the performance of a system is evaluated on sets of randomly generated
3CNF□m formulae. A CNF□m formula is a conjunction of CNF□m clauses, where each clause
is a disjunction of either propositional or modal literals. A literal is either an atom or its negation.
Modal atoms are formulae of the form □jC, where C is a CNF□m clause. A 3CNF□m formula is a
CNF□m formula where all clauses have exactly 3 literals.

3. Of course here by "modal" we implicitly assume the modal depth be strictly greater than zero, that is, we do not
consider purely propositional formulas.

4. Notice that we do not use the more suitable expression "propositionally (un)satisfiable" because the latter has been
used with a different meaning in the literature of modal reasoning (see, e.g., Giunchiglia & Sebastiani, 1996, 2000).

5. The first method (Heuerding & Schwendimann, 1996) is obsolete, as the formulae generated are too easy for current
state-of-the-art deciders (Horrocks et al., 2000).

3.1.1 The Random Generator 

A 3CNF□m formula is randomly generated according to five parameters: the (maximum) modal
depth d; the number of clauses in the top-level conjunction L; the number of propositional variables
N; the number of distinct box symbols m; and the probability p of an atom occurring in a clause at
depth < d being purely propositional.

The random 3CNF□m generator, in its final version (Giunchiglia et al., 2000), works as follows:

• a 3CNF□m formula of depth d is produced by randomly generating L 3CNF□m clauses of
depth d, and forming their conjunction;

• a 3CNF□m clause of depth d is produced by randomly generating three distinct, under commutativity
of disjunction, 3CNF□m atoms of depth d, negating each of them with probability
0.5, and forming their disjunction;

• a propositional atom is produced by picking randomly an element of {A1, ..., AN} with
uniform probability;

• a 3CNF□m atom of depth d > 0 is produced by generating with probability p a random
propositional atom, and with probability 1 − p a 3CNF□m atom □jC, where □j is picked
randomly in {□1, ..., □m} and C is a randomly generated 3CNF□m clause of depth d − 1.

Recently Horrocks and Patel-Schneider (2002) have proposed a variant of the 3CNF□m random
generator of Giunchiglia et al. (2000). They added four extra parameters: np and nm, representing
respectively the probability that a propositional and modal atom is negated, and Cmin and Cmax,
representing respectively the minimum and maximum number of modal literals in a clause, with
equal probability for each number in the range. For their experiments, they always set np = 0.5
and Cmin = Cmax = 3. To this extent, 3CNF□m formulas can be generated as in the generator of
Giunchiglia et al. (2000) by setting np = nm = 0.5 and Cmin = Cmax = 3.

3.1.2 Test Method & Data Analysis 

The 3CNF□m test method works as follows. A typical problem set is characterized by a fixed
N, m, d and p: L is varied in such a way as to empirically cover the "100% satisfiable — 100%
unsatisfiable" transition. Then, for each tuple of the parameters' values (data point from now on)
in a problem set, a certain number of 3CNF□m formulae are randomly generated, and the resulting
formulae are given in input to the procedure under test, with a maximum time bound. Satisfiability 
rates, median/percentile values of the CPU times, and median/percentile values of other parameters, 
e.g., number of steps, memory, etc., are plotted against the number of clauses L or the ratio of 
clauses to propositional variables L/N. 

3.2 The Random QBF Tests 

In QBF-based benchmarks (such as part of the TANCS'99 benchmarks (Massacci, 1999)), system
performances are evaluated on sets of random quantified boolean formulae, which are generated
according to the method described by Cadoli, Giovanardi, and Schaerf (1998) and Gent and
Walsh (1999) and then converted into modal logic by using a variant of the conversion by Halpern
and Moses (1992).

3.2.1 The Random Generator 

Random QBF formulae are generated with alternation depth D and at most V variables at each
alternation. The matrix is a random propositional CNF formula with C clauses of length K, with
some constraints on the number of universally and existentially quantified variables within each
clause. (This avoids the problem of generating flawed random QBF formulae highlighted by Gent
& Walsh, 1999.) For instance, a random QBF formula with D = 3, V = 2 looks like:

∀v₃₂v₃₁.∃v₂₂v₂₁.∀v₁₂v₁₁.∃v₀₂v₀₁.ψ[v₃₂, …, v₀₁].    (1)

Here ψ is a random CNF formula with parameters C, V and D. We will denote with U and E
the total number of universally and existentially quantified variables respectively. Clearly, both U
and E are O(D · V). Moreover, φ is the modal formula resulting from Halpern and Moses' K
conversion, so both the depth d and the number of propositional variables N of φ are also O(D · V).

3.2.2 Test Method & Data Analysis 

The test method, as it was used in the TANCS competition(s) (Massacci, 1999), works as follows. 
The tests are performed on single data points. For each data point, a certain number of QBF 
formulae are randomly generated, converted into modal logics and the resulting formulae are given 
as input to the procedure being tested, with a maximum time bound. The number of tests which 
have been solved within the time-limit and the geometrical mean time for successful solutions are
then reported. Data are rescaled to abstract away machine and run-dependent characteristics. This 
results typically in a collection of tables presenting a data pair for each system under test, one data 
point per row. 

4. A New CNF□m Generation Method: Basic Version

From our previous analysis (Horrocks et al., 2000) we have that none of the current methods are 
completely satisfactory. To cope with this fact, we propose here what we believe is a much more satisfactory
method for randomly generating modal formulae. The new method can be seen as an improved
and much more general version of the random 3CNF□m generation method by Giunchiglia
et al. (2000). 

We present our new method by introducing incrementally its new features in two main steps. In 
this section we introduce a basic version of the method, wherein 

• we provide a new interpretation for the parameter p (Section 4.1) that allows for varying p 
without causing the flaws described in Horrocks et al. (2000); and 

• we extend the interpretation for the parameter C (Section 4.3), providing a more fine-grained 
way for tuning the difficulty of the generated formulae. 

In Section 5, we present the full, advanced version of the method, wherein 
• we further extend the parameters p and C, allowing for shaping explicitly the probability
distribution of the propositional/modal rate and the clause length respectively (Section 5.1);
and

• we allow p and C to vary with the nesting depth of the subformulae (Section 5.2), allowing for
different distributions at different depths.

To investigate the properties of our CNF□m generator we also present a series of experiments with
appropriate settings either to mimic previous generation methodologies or to produce improved or
new kinds of tests.

In all tests we have adopted the testing criteria of the 3CNF□m method. For each test set, we
fixed all parameters except L, which was varied to span at least the satisfiability transition area. 
(Because of the "Valid vs. non-valid balance" feature of Section 2, we consider the transition area 
to be the interesting portion of the test set.) For almost all test sets we varied L from N to 120N,
150N, or 200N, resulting in integral values for L/N ranging from 1 to 120, 150, or 200. For each
value of L we generated 100 formulae, a sufficient number to produce reasonably reliable data. A 
time limit of 1000 seconds was imposed on each attempt to determine the satisfiability status of a 
formula. As it is common practice, we set the number of boxes m to 1 throughout our testing. This 
setting for m produces the hardest formulae (Giunchiglia & Sebastiani, 1996; Hustadt & Schmidt,
1999; Giunchiglia et al., 2000). We performed several test sets with similar parameters, often, but 
not always, varying only N. 

We tested our formulae against two systems, DLP version 4.1 (Patel-Schneider, 1998) and 
*SAT version 1.3 (Tacchella, 1999), two of the fastest modal decision procedures. They are available
at http://www.bell-labs.com/usr/pfps/dlp and http://www.mrg.dist.unige.it/~tac respectively.
All the code used to generate the tests is available at http://www.bell-labs.com/usr/pfps/dlp.

We plotted the results of our test groups (test sets with similar parameters) on six or four plots. 
Two plots were devoted to the performance of DLP, one showing the median and one showing the 
90th percentile time taken to solve the formulae at each value of L, plotted against L/N. For those 
test groups where we ran *SAT we also plotted the median and 90th percentile for *SAT.

We also plotted the fraction of the formulae that are determined to be satisfiable or unsatisfiable 
by DLP within the time limit.⁶ To save space, satisfiability and unsatisfiability fractions are plotted
together on a single plot. Satisfiability fractions are higher on the left side of the plot while unsatisfiability
fractions are higher on the right. This multiple plotting does obscure some of the details,
but the only information that we are interested in here is the general behavior of the fractions, which 
is not obscured. In fact, the multiple plotting serves to highlight the crossover regions, where the 
satisfiability and unsatisfiability fractions are roughly equal. 

Finally, we plotted the fraction of the formulae where DLP finds a model or determines that
the formula is unsatisfiable without investigating any modal successors. We call these fractions
the trivial satisfiability and trivial unsatisfiability fractions. These last fractions are an estimate
of the number of formulae that are satisfiable in a Kripke structure with no successors — like, e.g.,
(A1 ∨ □1A2) — and that have no propositional valuations — like, e.g., (□1A1 ∧ ¬□1A1) — respectively.
For various reasons, discussed below, they are better indicators of triviality than the more
formal measures used in previous papers. Again, trivial satisfiability and unsatisfiability fractions
are plotted together on a single plot.

6. Notice that the two curves are symmetric with respect to 0.5 if and only if no test exceeds the time limit. E.g., if
at some point 40% of the tests are determined to be satisfiable by DLP, 10% are determined to be unsatisfiable and
50% are not solved within the time limit, then the two curves are not symmetric at that point, as 0.40 ≠ 1 − 0.10.

To reduce clutter on the plots, we used a line to show the results for each value of L we tested. 
To distinguish between the various lines on a plot, we plotted every five or 10 data points with a 
symbol, identified in the legend of the plot. 

Running the tests presented in this paper required some months of CPU time. Because of this, 
we ran our tests on a variety of machines. These machines range in speed from a 296MHz SPARC 
Ultra 2 to a 400MHz SPARC Ultra 4 and had between 256MB and 512MB of main memory. No
machines were completely dedicated to our tests, but they were otherwise lightly loaded. Each test 
set was run on machines with the same speed and memory. Direct comparison between different 
groups of tests thus has to take into account the differences between the various test machines. 

4.1 Reinterpreting the Parameter p 

One problem with the previous methods for generating CNF□m formulae is that the generated formulae
can contain pieces that make the entire formula easy to solve. This mostly results from the
presence of strictly-propositional top-level clauses. With the small number of propositional variables
in most tests (required to produce reasonable difficulty levels for current systems), only a
few strictly-propositional top-level clauses are needed to cover all the combinations of the propositional
literals and make the entire formula unsatisfiable. Previous attempts to eliminate this "trivial
unsatisfiability" have concentrated on eliminating top-level propositional literals by setting p = 0
(Hustadt & Schmidt, 1999; Giunchiglia et al., 2000). (Unfortunately this choice forces d ≤ 1,
as for d > 1 such formulae are too hard for all state-of-the-art systems.) When each atom in a
clause is generated independently from the other atoms of the clause, an approach that modifies the
probability of propositional atoms is necessary to eliminate these problematic clauses.

The first new idea of our approach, suggested previously (Horrocks et al., 2000), works as 
follows. Instead of forbidding strictly-propositional clauses except at the maximum modal depth, d, 
by setting p = 0, we instead require that the ratio between propositional atoms in a clause and the 
clause size be as close as possible to the propositional probability p for clauses not at the maximum 
modal depth d.⁷

For clauses of size C, if p is k/C for some integral k, this results in all clauses not at modal
depth d having k propositional atoms and C − k modal atoms. For other values of p, we allow
either ⌊pC⌋ or ⌈pC⌉ propositional atoms in each clause not at modal depth d, with probability
⌈pC⌉ − pC and pC − ⌊pC⌋, respectively.⁸ For instance, if p = 0.6 and C = 3, then each clause
contains 1 propositional and 1 modal literal, and the third is propositional with probability 0.8, as
3 · 0.6 − ⌊3 · 0.6⌋ = 1.8 − 1 = 0.8. If p < (C − 1)/C, this eliminates the possibility of strictly
propositional clauses, which are the main cause of trivial unsatisfiability, except at modal depth d.
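
The generation rules of Section 3.1.1 and the reinterpretation of p above, as an added Python example that is not the authors' generator: the tuple/frozenset representation, the function names and the default seed and parameters are this example's own, and it assumes N ≥ C. It counts strictly-propositional top-level clauses under both readings of p and checks by brute force whether those clauses alone are already unsatisfiable, which is narrower than the paper's trivial unsatisfiability (that also covers clashes between modal literals).

```python
import itertools
import math
import random

# Representation chosen for this example: a propositional atom is an int in 1..N,
# a modal atom is ("box", r, clause), a literal is (atom, negated) and a clause is
# a frozenset of literals, so equality already ignores the order of disjuncts.

def prop_count_new(C, p, rng):
    """New reading of p: floor(pC) or ceil(pC) propositional atoms per clause,
    chosen with probability ceil(pC) - pC and pC - floor(pC) respectively."""
    pc = round(p * C, 9)          # absorb float noise such as 3 * 0.6 = 1.7999...
    lo = math.floor(pc)
    return lo + (1 if rng.random() < pc - lo else 0)

def gen_clause(depth, N, m, C, p, rng, new_method):
    """Random clause with C distinct atoms; depth 0 means purely propositional."""
    def modal_atom():
        return ("box", rng.randint(1, m),
                gen_clause(depth - 1, N, m, C, p, rng, new_method))
    atoms = []                    # a list keeps generation reproducible for a seed
    if depth == 0:
        atoms = rng.sample(range(1, N + 1), C)
    elif new_method:
        atoms = rng.sample(range(1, N + 1), prop_count_new(C, p, rng))
        while len(atoms) < C:
            a = modal_atom()
            if a not in atoms:
                atoms.append(a)
    else:                         # old method: every atom is an independent draw
        while len(atoms) < C:
            a = rng.randint(1, N) if rng.random() < p else modal_atom()
            if a not in atoms:
                atoms.append(a)
    return frozenset((a, rng.random() < 0.5) for a in atoms)

def gen_formula(d, L, N, m, C, p, rng, new_method):
    """A formula is the conjunction (here: list) of L random clauses of depth d."""
    return [gen_clause(d, N, m, C, p, rng, new_method) for _ in range(L)]

def strictly_propositional(clause):
    return all(isinstance(atom, int) for atom, _ in clause)

def propositional_core_unsat(formula, N):
    """True if the strictly-propositional top-level clauses alone have no model."""
    core = [c for c in formula if strictly_propositional(c)]
    for values in itertools.product((False, True), repeat=N):
        # a literal (a, neg) holds when the value of variable a differs from neg
        if all(any(values[a - 1] != neg for a, neg in c) for c in core):
            return False
    return True

def measure(new_method, seed=0, runs=30, d=1, L=360, N=3, m=1, C=3, p=0.6):
    """Return (fraction of strictly-propositional top-level clauses,
    fraction of formulae whose propositional core is unsatisfiable)."""
    rng = random.Random(seed)
    prop_clauses = unsat = 0
    for _ in range(runs):
        f = gen_formula(d, L, N, m, C, p, rng, new_method)
        prop_clauses += sum(strictly_propositional(c) for c in f)
        unsat += propositional_core_unsat(f, N)
    return prop_clauses / (runs * L), unsat / runs

if __name__ == "__main__":
    for name, flag in (("old", False), ("new", True)):
        frac, unsat = measure(flag)
        print(f"{name}: strictly-propositional clauses {frac:.3f}, "
              f"propositional core unsat {unsat:.2f}")
```

With the defaults (N = 3, L/N = 120, p = 0.6) the old reading produces strictly-propositional clauses in roughly one clause out of ten, enough to make most formulae unsatisfiable at the propositional level, while the new reading produces none.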



7. Other approaches to eliminating propositional unsatisfiability are possible. For example, it would be possible to 
simply remove any strictly-propositional clauses after generation. However, this technique would alter the meaning 
of the parameter p, that is, the actual probability for a literal to be propositional would become strictly smaller than 
p, and it will be out of the control of the user. 

8. Remember that ⌊x⌋ =def max{n ∈ ℕ | n ≤ x} and ⌈x⌉ =def min{n ∈ ℕ | n ≥ x}.

Figure 1: Results for C = 3, m = 1, d = 1, and p = 0.5 (old method)



4.1.1 Modal Depth 1 



Our first experiments were a direct comparison to previous tests. We generated CNF□m formulae
with C = 3, m = 1, d = 1, and p = 0.5, a setting that has been used in the past, and one that
exhibits some problematic behavior. We used both our new method and the old 3CNF□m generation
method by Giunchiglia et al. (2000) briefly described in Section 3.1 (the "old method" from now
on). We also generated CNF□m formulae with C = 3, m = 1, d = 1, and p = 0, the standard
method for eliminating trivially unsatisfiable formulae. (At p = 0 our new method is the same as
the old 3CNF□m generation method.) The results of the tests are given in Figures 1, 2, and 3.

Figure 2: Results for C = 3, m = 1, d = 1, and p = 0.5 (our new method)



One aspect of this set of tests is that all three collections have many trivially unsatisfiable formulae
out of the satisfiability transition area, even the collection with no top-level propositional atoms.
The trivial unsatisfiability occurs in the collection with no top-level propositional atoms because
there are only a few top-level modal atoms (e.g., 8 for N = 3) and both DLP and *SAT detect
clashes between complementary modal literals without investigating any modal successors.

The presence of this large number of trivially unsatisfiable formulae is not actually a serious
problem with these tests. The trivial unsatisfiability only shows up after the formulae are almost
all unsatisfiable already and easy to solve. The only exception is for N = 3, which is trivial to
solve anyway. However, our new generation method considerably reduces the number of trivially
unsatisfiable formulae and almost entirely removes them from the satisfiable/unsatisfiable transition
area. There are some trivially satisfiable formulae in this set of tests, but only a few, and only for
the smallest clause sizes. Their presence does not affect the difficulty of the generated formulae.

Figure 3: Results for C = 3, m = 1, d = 1, and p = 0 (either method). [Plot panels: Satisfiability and Unsatisfiability Fractions; Trivial Satisfiability and Unsatisfiability Fractions]

The two methods with p = 0.5 are relatively close in maximum difficulty, with our new method 
generating somewhat harder formulae. However, our method produces difficult formulae, for both 
DLP and *SAT, over a much broader range of L/N than does the original method.

Changing to p = 0 results in formulae that are orders of magnitude harder. This is not good,
previous arguments to the contrary notwithstanding, as we would like to have a significant number
of reasonable test sets to work with, and p = 0 allows only consideration of a very few values for
N before the formulae are totally impossible to solve with current systems, resulting in very few
reasonable test sets.

So, at a maximum modal depth of d = 1 our method results in formulae that are of similar
difficulty to the previously-generated formulae and still have trivially unsatisfiable formulae, but 
ones that do not seriously affect the difficulty of the test sets. 

4.1.2 Modal Depth 2 

Restricting attention to a maximum modal depth of d = 1 is not very useful. Formulae with maximum
modal depth of 1 are not representative of modal formulae in general, particularly as they
have no nested modal operators. Sticking to a maximum modal depth of 1 seriously limits the
significance of the generated tests.

We would thus like to be able to perform interesting experiments with larger maximum modal
depths. So we performed a set of experiments with a maximum modal depth of d = 2. We started
with a set of tests that corresponds to previously-performed experiments. 

At depth d = 2, in the old method for p = 0.5 the time curves are dominated by a "half-dome" 
shape, whose steep side shows up where the number of trivially unsatisfiable formulae becomes 
large before the formulae become otherwise easy to solve, as shown in Figure 4. In fact, nearly all 
the unsatisfiable formulae here are trivially unsatisfiable. 

This is an extremely serious flaw, as the difficulty of the test set is being drastically affected 
by these trivially unsatisfiable formulae. Changing to p = 0 is not a viable solution because at
depth d = 2 such formulae are much too difficult to solve, as shown in Figure 5, where the median
percentile exceeds the timeout before any formulae can be determined to be unsatisfiable, even for
3 propositional variables.

With our new method, as shown in Figure 6, the formulae are much more difficult to solve than 
the old method, because there is no abrupt drop-off from propositional unsatisfiability, but they are
much easier to solve than those generated with p = 0. Further, trivially unsatisfiable formulae do 
not appear at all in the interesting portion of the test sets. 

Nevertheless this choice of parameters (d = 2, p = 0.5) is not entirely suitable. The formulae 
are becoming too hard much too early. In particular, there are no unsatisfiable formulae that can 
be solved for N > 3, and thus the unsatisfiability plots cannot be distinguished from the x axis 
(recall Footnote 6). However, our new method does provide some advantages already, providing an 
interesting new set of tests, albeit one of limited size. 

4.2 Increasing p 

We would like to be able to produce better test sets for depth d = 2 and greater. One way of 
doing this is to increase the propositional probability p from 0.5 to something like 0.6, increasing 
the number of propositional atoms and thus decreasing the difficulty of the generated formulae. 
This would be very problematic with previous generation methods as it would result in the trivially 
unsatisfiable formulae determining the results for even smaller numbers of clauses L, but with our 
method here it is not much of a problem. 

To investigate increasing the propositional probability, we ran a collection of tests with 
maximum modal depth d = 2 and propositional probability p = 0.6 with both the old method and 
our new method. The results of these tests are given in Figures 7 and 8. As before, the asymmetries 
between the satisfiability and unsatisfiability curves in Figure 8 for N = 5, 6 are due to the fact that 
many tests are not solved by DLP within the time limit (cf. Footnote 6). 

Figure 4: Results for C = 3, m = 1, d = 2, and p = 0.5 (old method) 



As expected, the old method produces large numbers of trivially unsatisfiable formulae. These 
trivially unsatisfiable formulae show up much earlier than with p = 0.5, making the tests consider- 
ably easier, especially for *SAT. 

Our new method produces hard formulae, but ones that are quite a bit easier than for p = 0.5. 
In particular, DLP solved all instances within the time limit for N = 4. Trivially unsatisfiable 
formulae do show up, but only well after the formulae are already unsatisfiable, and they do not 
significantly affect the difficulty of the tests. 

So our method allows the creation of more-interesting tests at modal depths greater than 1, 
simply by adjusting p to a value where the level of difficulty is appropriate. Trivial unsatisfiability 
is not a problem, whereas in the old method it was the most important feature of the test. 
Figure 5: Results for C = 3, m = 1, d = 2, and p = 0 (either method) 



4.3 Changing the Size of Clauses 

A problem with increasing the propositional probability is that formulae become "too propositional" 
— that is, the source of difficulty becomes more and more the propositional component of the prob- 
lem, and not the modal component. As we are interested in modal decision procedures, we do not 
want the main (or only) source of difficulty to be propositional reasoning. 

We decided, therefore, to investigate a different method for modifying the difficulty of the 
generated formulae. We instead allow the number of literals in a clause C to vary in a manner 
similar to the number of propositional atoms. If C is an integer then each clause has that many 
literals. Otherwise, we allow either ⌊C⌋ or ⌈C⌉ literals in each clause, with probability ⌈C⌉ − C 
and C − ⌊C⌋, respectively. We then determine the number of propositional atoms in each clause 
based on the number of literals in that clause. 

Figure 6: Results for C = 3, m = 1, d = 2, and p = 0.5 (our new method) 

We generated CNF□m formulae with C = 2.5, m = 1, d = 1, and p = 0.5. The change from 
C = 3 to C = 2.5 produces fewer disjunctive choices and should result in easier formulae. The 
results of these tests are given in Figure 9. 

These formulae are much easier than those generated with C = 3, although they are still quite 
hard and form a reasonable source of testing data. Trivially unsatisfiable formulae appear in large 
numbers only well after the formulae are all unsatisfiable and relatively easy. 

To further illustrate the reduction in difficulty with smaller values of C we generated formulae 
using C = 2.25, m = 1, d = 1, and p = 0.5. As shown in Figure 10, these formulae are even easier 
than for C = 2.5. Trivially unsatisfiable formulae do appear, but again only after the formulae 
become all unsatisfiable, and not until the formulae become easy, particularly for *SAT. 

Figure 7: Results for C = 3, m = 1, d = 2, and p = 0.6 (old method) 

At C = 2.25 we now have a reasonable set of formulae for maximum modal depth d = 2. 
With a maximum modal depth of 2, the formulae are much more representative than formulae with 
maximum modal depth of 1. The formulae are neither too easy nor too hard for current modal 
decision procedures so the satisfiability transition can be investigated for significant numbers of 
propositional variables. 

Further, with this new method we can provide a collection of test sets that vary in difficulty 
by varying C. Most previous comparative test sets varied N, which is problematic because most 
interesting parameter sets become too hard for small values of N, in the range of 6 to 10. 
Figure 8: Results for C = 3, m = 1, d = 2, and p = 0.6 (our new method) 



To illustrate the effects of varying C we generated formulae using N = i, m = 1, d = 1, and 
p = 0.5, varying C from 2.2 to 2.8. As shown in Figure 11, this produces an interesting set of tests. 
The difficulty levels can be set appropriately. Trivially unsatisfiable formulae do appear, but only 
after the formulae become unsatisfiable anyway. Trivially unsatisfiable formulae do not influence 
the difficulty of the test. 
Figure 9: Results for C = 2.5, m = 1, d = 2, and p = 0.5 (our new method) 



4.3.1 Modal Depth 3 

Our method can be used to generate interesting test sets with modal depth d = 3. This depth is not 
at all interesting with previous methods — either the formulae are immensely difficult, such as for 
p = 0, or the behavior is dominated by trivial unsatisfiability, such as for p = 0.5. 

For interesting levels of difficulty, we do have to reduce C to values below 2.5. If C is much 
larger, the formulae are too hard. However, with C < 2.5 we can produce interesting test sets, as 
shown in Figure 12. (The relevant asymmetry between the satisfiable and unsatisfiable rates curves 
for N > 5 is due to the high number of tests exceeding the time limit.) Here the problems are hard 
even for N < 5 but doable, and there are no problems with trivially (un)satisfiable formulas. 

Figure 10: Results for C = 2.25, m = 1, d = 2, and p = 0.5 (our new method) 

Our method now allows us fine control of the difficulty of tests. To make a test easier, we can 
just reduce the size of clauses by reducing the value(s) of C, or increase the propositional probability 
p. This control was missing with the previous method, as C was restricted to integral values and, 
anyway, was always set to 3, and making p much different from 0.0 resulted in problems with trivial 
unsatisfiability for maximum modal depths greater than 1. 



5. A New CNF□m Generation Method: Advanced Version 

Actually, our generator is much more general than what we have described so far. We allow direct 
specification of the probability distribution of the number of propositional atoms in a clause, and 
allow the distribution to be different for each modal depth from the top level to d − 1. We also allow 
direct specification of the probability distribution for the number of literals in a clause at each modal 
depth. Thus, the probability distribution for the number of propositional atoms depends on both the 
modal depth and the number of literals in the clause. 

Figure 11: Results for N = i, m = 1, d = 2, and p = 0.5 (our new method) 

5.1 Generalization: Shaping the Probability Distributions. 

The generator has two parameters to control the shape of formulae. The first parameter, C, is a 
list of lists (e.g., [[0,0,1]]) telling it how many disjuncts to put in each disjunction at each 
modal level. Each internal list represents a finite discrete probability distribution. For instance, the 
"[0,0,1]" says "0/1 of the disjunctions have 1 disjunct, 0/1 have 2 disjuncts, and 1/1 have 3 
disjuncts" (fixed length 3). Because there is only one element of the list, this frequency is used at 
each modal depth, until the last. Other possibilities are, e.g., [[1,1,1,1]] (maximum length 4 
with uniform distribution), [[16,8,4,2,1]] (maximum length 5 with exponential distribution), 
and so on. 

The second parameter, p, is a list of lists of lists (e.g., [[[], [], [0,3,3,0]]]) that controls 
the propositional/modal rate. The top-level elements are for each modal depth (here all the 
same). The second-level elements are for disjunctions with 1, 2, 3, ... disjuncts (here only the third 
matters as all disjunctions have three disjuncts). For instance, the "[0,3,3,0]" says "0/6 of the 
disjunctions have 0 propositional atoms, 3/6 have 1 propositional atom, 3/6 have 2 propositional 
atoms, and 0/6 have 3 propositional atoms" (that is, our new scheme discussed in the paper with 
p = 0.5; the old scheme with p = 0.5 is represented by [[[], [], [1,3,3,1]]]). Notice that 
the first element of the distributions in C represents the value 1, whilst the first element of the 
distributions in p represents the value 0. Setting the last element of each distribution to zero 
[..., 0] eliminates all strictly propositional clauses, which are the main cause of trivial 
unsatisfiability; this is the way we implement the constraint p < (C − 1)/C of Section 4.1. 

Figure 12: Results for C = 2.25, m = 1, d = 3, and p = 0.5 
 1 function rnd_CNF□m(d,m,L,N,p,C) 
 2   for i := 1 to L do                      /* generate L distinct random clauses */ 
 3     repeat 
 4       Cl_i := rnd_clause(d,m,N,p,C); 
 5     until is_new(Cl_i);                   /* discards Cl_i if it already occurs */ 
 6   return ∧_{i=1..L} Cl_i; 
 7 function rnd_clause(d,m,N,p,C) 
 8   K := rnd_length(d,C);                   /* select randomly the clause length */ 
 9   P := rnd_propnum(d,p,K);                /* select randomly the prop/modal rate */ 
10   repeat 
11     for j := 1 to P do                    /* generate P distinct random prop. literals */ 
12       l_j := rnd_sign() · rnd_atom(0,m,N,p,C); 
13     for j := P+1 to K do                  /* generate K-P distinct random modal literals */ 
14       l_j := rnd_sign() · rnd_atom(d,m,N,p,C); 
15     Cl := ∨_{j=1..K} l_j; 
16   until no_repeated_atoms_in(Cl);         /* discards Cl if contains repeated atoms */ 
17   return Sort(Cl); 
18 function rnd_atom(d,m,N,p,C) 
19   if d=0 
20     then return rnd_propositional_atom(N); /* select randomly a prop. atom */ 
21   else 
22     □_r := rnd_box(m);                    /* select randomly an indexed box */ 
23     Cl := rnd_clause(d-1,m,N,p,C); 
24     return □_r Cl; 

Figure 13: Schema of the new CNF□m random generator. 



For instance, the plots of Figures 1-12 can be obtained with the following choices of C and p: 
Our generator works as described in Figure 13. The function is_new(Cl_i) checks if Cl_i ≠ Cl_j, 
∀ j < i; rnd_length(d,C) selects randomly the clause length according to the (d + 1)-th 
distribution in C (e.g., if d is 1 and C is [[0,1,1], [1,2], [1]], it returns 1 with probability 1/3 
and 2 with probability 2/3); rnd_propnum(d,p,K) selects randomly the number of propositional 
atoms per clause P according to the [d + 1, K]-th distribution in p (e.g., if d is 1, K is 2 and p is 
[[[], [0,1,0], [0,1,0,0]], [[1,0], [0,1,0]]], it returns 1 deterministically); rnd_sign 
selects randomly either the positive or negative sign with equal probability; no_repeated_atoms_in(Cl) 
checks if the clause Cl contains no repeated atom; Sort(Cl) returns the clause Cl sorted according 
to some criterion; rnd_propositional_atom(N) selects with uniform probability one of the N 
propositional atoms A_i; rnd_box(m) selects with uniform probability one of the m indexed boxes □_r. 

When eliminating duplicated atoms in a clause, we take care not to disturb these probabilities 
by first determining the "shape" of a clause (rows 8-9 in Figure 13), and only then instantiating that 
with propositional variables (rows 10-16 in Figure 13). If a clause has repeated atoms, either 
propositional or modal, the instantiation is rejected and another instantiation of the shape is performed. 
If we did not take care in this way we would generate too few "small" atoms because there are 
fewer small atoms than large atoms, resulting in a greater chance of rejecting small atoms because 
of repetition. 

The elimination of duplicated atoms in a clause is not only a matter of elimination of redundancies, 
but also of elimination of a source of flaws. In fact, one might generate top-level clauses like 
... ∧ (¬□_1(A_1 ∨ ¬A_1) ∨ ¬□_2(A_2 ∨ ¬A_2)) ∧ ... which would make the whole formula inconsistent. 
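
A Python rendering of the schema of Figure 13, added here as an illustration; it is not the authors' generator code. The formula encoding (integers for propositional atoms, ("box", r, clause) tuples for modal atoms, a list of clauses for the conjunction) and the separate nesting-level argument used to index C and p are assumptions of this example.

```python
import random

def pick(weights, rng, first=0):
    """Draw from a finite discrete distribution given as integer weights.
    Slot 0 stands for the value `first` (1 for lengths in C, 0 for p)."""
    return rng.choices(range(first, first + len(weights)), weights=weights)[0]

def dist_at(dists, level):
    """Distribution for nesting level `level` (0 = top level); the last
    entry is reused for deeper levels when none is given explicitly."""
    return dists[min(level, len(dists) - 1)]

def prop_count(clause):
    """Number of propositional literals in a clause."""
    return sum(isinstance(atom, int) for _, atom in clause)

def rnd_atom(rem, level, m, N, p, C, rng):
    """Rows 18-24: a propositional atom (int in 1..N) when rem == 0,
    otherwise ("box", r, clause) with the clause one level deeper."""
    if rem == 0:
        return rng.randint(1, N)
    return ("box", rng.randint(1, m),
            rnd_clause(rem - 1, level + 1, m, N, p, C, rng))

def rnd_clause(rem, level, m, N, p, C, rng):
    """Rows 7-17. `rem` is the remaining modal depth, `level` the nesting
    level that selects the distributions (assumption of this example)."""
    # Rows 8-9: fix the shape first (length K, then P propositional literals).
    K = pick(dist_at(C, level), rng, first=1)
    P = K if rem == 0 else pick(dist_at(p, level)[K - 1], rng)
    if P > N:
        raise ValueError("N must be at least the number of prop. literals")
    # Rows 10-16: instantiate the shape; on a repeated atom only the
    # instantiation is redrawn, so the distributions of K and P are kept.
    while True:
        lits = [(rng.random() < 0.5, rnd_atom(0, level, m, N, p, C, rng))
                for _ in range(P)]
        lits += [(rng.random() < 0.5, rnd_atom(rem, level, m, N, p, C, rng))
                 for _ in range(K - P)]
        if len({atom for _, atom in lits}) == K:
            return tuple(sorted(lits, key=repr))  # Sort(Cl): any fixed order

def rnd_cnf(d, m, L, N, p, C, seed=None):
    """Rows 1-6: L distinct top-level clauses (their conjunction)."""
    rng = random.Random(seed)
    clauses = []
    while len(clauses) < L:
        cl = rnd_clause(d, 0, m, N, p, C, rng)
        if cl not in clauses:  # is_new(Cl_i)
            clauses.append(cl)
    return clauses

def show(clause):
    """Render a clause with the usual connectives."""
    def lit(sign, atom):
        if isinstance(atom, int):
            body = f"A{atom}"
        else:
            body = f"□{atom[1]}{show(atom[2])}"
        return body if sign else "¬" + body
    return "(" + " ∨ ".join(lit(s, a) for s, a in clause) + ")"

if __name__ == "__main__":
    # Normalized parameters of Example 5.1 (d = 2, m = 1, N = 4, L = 4).
    C = [[0, 1, 1], [1, 2], [1]]
    p = [[[], [0, 1, 0], [0, 1, 0, 0]], [[1, 0], [0, 1, 0]]]
    for cl in rnd_cnf(d=2, m=1, L=4, N=4, p=p, C=C, seed=1):
        print(show(cl))
```

The retry loop terminates only if enough distinct atoms exist for the chosen shape, which is why N should be at least the maximum clause length in C.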

Example 5.1 We try to guess a parameter set by which the new random generator can potentially 
generate the following CNF□m formula φ: 

( ^^3 V 01(^^4 V ^Di^i) V V ^01^2) )A 

( -Ai vni(A3 v-n-iAa) v-ni(ni-^4) )A 

( V ^01(^2 V Di^^i) )A ^' 

( ^1 v-ni(-ni^4) )• 

After a quick look we set m = 1, d = 2, N = 4, L = 4. At top level we have 0 unary, 2 binary and 
2 ternary clauses; at depth 1 we have 2 unary and 4 binary clauses; at depth 2 we have only 6 unary 
clauses. Thus, we can set 

C = [[0,2,2], [2,4], [6]].    (3) 

At top level there are no unary clauses (we represent this fact by the empty list "[]"), the 2 
binary clauses have 1 propositional literal, and the 2 ternary clauses have 1 propositional literal; at 
depth 1, the 2 unary clauses have 0 propositional literals, while the 4 binary clauses have 1 
propositional literal. (There is no need to provide any information for depth 2, as all clauses are purely 
propositional.) Thus, we can set 

p = [[[], [0,2,0], [0,2,0,0]], [[2,0], [0,4,0]]].    (4) 

The two expressions can then be normalized into: 

C = [[0,1,1], [1,2], [1]] 
p = [[[], [0,1,0], [0,1,0,0]], [[1,0], [0,1,0]]].    (5) 

Notice that any other setting of C, p obtained by changing the non-zero values in (5) into other 
non-zero values, or turning zeros into non-zeros (but not vice versa!), will do the work, just with a 
different probability. For instance, turning the first list in C into [1,1,1] allows for generating 
also unary clauses at top level; anyway, with probability (2/3)^L the generator may still produce 
formulae with only binary and ternary clauses at top level. □ 
Figure 14: Results for DLP with d = 3, 4, N = 3, 4, C = [[1,8,1]], 
p = [[[1,0], [0,1,0], [0,1,1,0]]] 

As an illustration of our general method, we present a set of tests with m = 1, d = 3, 4, 
N = 3, 4, C = [[1,8,1]], and p = [[[1,0], [0,1,0], [0,1,1,0]]]. This set of tests 
introduces a small fraction of single-literal clauses that contain a modal literal (except at the greatest 
modal depth, where they contain, of course, a single propositional literal). The results of tests are 
given in Figure 14. Again, trivial instances occur only outside the interesting zone. Here we can 
generate interesting test sets even with modal depth 4. 



5.2 Varying the Probability Distributions with the Depth 

Our new method provides the ability to fine-tune the distribution of both the size and the 
propositional/modal rate of the clauses at every depth. This fine tuning results in a very large number 
of parameters, and so far in this paper we have only investigated distributions that conform to the 
scheme described above or ones that correspond to the 3CNF□m generation method previously used. 

To give an example of how to vary the probability distributions with the nesting depth of the 
clauses, we consider the case with d = 4, 5, m = 1, N = 3, 4, 5, C = [[1,8,1], [1,2]], 
p = [[[1,0], [0,1,0], [0,1,1,0]], [[1,0], [0,1,0]]]. The results of the tests are 
given in Figure 15. 

The C parameter says that the probability distributions of the length of the clauses occurring at 
nesting depth 0 and > 1 are [1,8,1] and [1,2] respectively. (When not explicitly specified, it is 
considered the last distribution by default, as in the case of depth > 1.) Thus, the top-level clauses 
are on average 1/10 unary, 8/10 binary and 1/10 ternary, while the clauses occurring at depth > 1 are 
on average 1/3 unary and 2/3 binary. 

Figure 15: Results for DLP with d = 4, 5, m = 1, N = 3, 4, 5, C = [[1,8,1], [1,2]], 
p = [[[1,0], [0,1,0], [0,1,1,0]], [[1,0], [0,1,0]]]. 

The p parameter says that the lists of probability distributions of the propositional/modal ratio 
at nesting depth 0 and > 1 are [[1,0], [0,1,0], [0,1,1,0]] and [[1,0], [0,1,0]] 
respectively. Thus, at every depth, unary clauses have no propositional literal and binary clauses have 
1 propositional and 1 modal literal. The top-level ternary clauses have either 1 or 2 propositional 
literals, with equal probability. 

Notice that at top level the distributions are identical to those of Figure 14, whilst at depth > 1 
there are no more ternary clauses and a higher fraction of unary clauses. These slight modifica- 
tions allow reasonable test sets with d = 5 and N = 5. Moreover, trivial instances have nearly 
disappeared. 



6. Generality of the Method 

We have already observed (Horrocks et al., 2000) that for normal modal logics, from K(m) upward, 
there is no loss in the restriction to CNF□m formulae, as there is an equivalence between arbitrary 
normal modal formulae and CNF□m formulae.^9 We may wonder how well our generation 
technique covers the whole space of CNF□m formulae, and how well we can approximate a restricted 
subclass of this space. Example 5.1 represents an instance of a very general property of our random 
generation technique, which we present and discuss below. 

Now we assume that the rnd_CNF□m of Figure 13 is a "purely random" generator, i.e., it 
performs all non-deterministic choices independently and in a pure random way. (Of course 
pseudo-random generators only approximate this feature.) Moreover, with no loss of generality, we restrict 
our discussion to CNF□m formulae which have no repeated clauses at top level and no repeated 
atoms inside any clause at any level, and in which atoms are sorted within each clause, according 
to the generic function Sort() of Figure 13. The former allows for considering only formulae 
which are already simplified; the latter allows for considering only one representative for each 
class of formulae which are equivalent modulo order permutations. As discussed by Giunchiglia 
et al. (2000), the latter allows for further simplifying subformulae like, e.g., 
□_1(A_1 ∨ A_2) ∨ □_1(A_2 ∨ A_1) or □_1(A_1 ∨ A_2) ∨ ¬□_1(A_2 ∨ A_1). 

Let φ be a sorted CNF□m formula of depth d and with L top-level clauses built on all the 
propositional atoms {A_1, ..., A_N} and on all the modal boxes {□_1, ..., □_m}, which has no repeated 
clause at top level and no repeated atoms inside any clause at any level. Then we can construct C 
and p so that, for each i, j, r: 

(a) the j-th element of the i-th sublist in C is non-zero if and only if there is a clause of length j 
occurring at depth i in φ, and 

(b) the (r + 1)-th element of the j-th sub-sublist of the i-th sublist in p is non-zero if and only if 
there is a clause of length j occurring at depth i which contains r propositional literals. 

One possible operative technique to build C and p works as follows. Initialize C as a list of d + 1 
sublists. Then, for every depth level i ∈ {0, ..., d}, set the i-th sublist of C as follows: 

(i) set the size K of the sublist as the maximum size of clauses occurring in φ at depth i; 

(ii) for all j ∈ {1, ..., K}, count the number of clauses of length j occurring in φ at depth i, and 
append the result to the sublist. 

Initialize p as a list of d sublists of sub-sublists. Then, for every depth level i ∈ {0, ..., d − 1}, set 
the i-th sublist of p as follows: 

(i) look at C: set the size K of the sublist as the maximum size of clauses occurring in φ at depth i; 

(ii) for all j ∈ {1, ..., K}, generate the j-th sub-sublist as follows: 

• look at C: if the number of clauses of length j occurring at depth i is non-zero, then set 
the length l of the sub-sublist to j + 1, else set l to 0; 

9. This holds for all modal normal logics from K(m) upward, as the conversion works recursively on the depth of the 
formula, from the leaves to the root, each time applying to sub-formulae the propositional CNF conversion and the 
transformation 

I=It- A V '^'i =^ A V 'fi^i ' 

3 i i i 

which preserves validity in such logics. 
• for all r ∈ {0, ..., l − 1}, count the number of clauses of length j occurring in φ at depth 
i which have r propositional literals, and append the result to the sub-sublist. 

Example 5.1 represents an instance of application of the above technique for constructing C and p 
from φ. Notice that the C and p parameters not only verify points (a) and (b) above, but are such 
that the probability distributions mimic the actual number of occurrences of the different kinds of 
clauses. 
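
The construction of C and p from a formula, written out in Python as an added example (not code from the paper). The encoding of literals as (sign, atom) pairs, the helper names, and the sample formula are assumptions: the sample is constructed to have the clause counts stated in Example 5.1 and is not the formula printed there.

```python
from functools import reduce
from math import gcd

def A(i, neg=False):
    """Propositional literal A_i or ¬A_i, stored as (sign, atom)."""
    return (not neg, i)

def B(*lits, neg=False):
    """Modal literal □1(clause) or ¬□1(clause); a single box index (m = 1)."""
    return (not neg, ("box", 1, tuple(lits)))

# Constructed sample: 2 binary and 2 ternary top-level clauses,
# 2 unary and 4 binary clauses at depth 1, 6 unary clauses at depth 2.
SAMPLE = [
    (A(3, neg=True), B(A(4, neg=True), B(A(1), neg=True)),
     B(A(2), B(A(2), neg=True), neg=True)),
    (A(1, neg=True), B(A(3), B(A(3), neg=True)),
     B(B(A(4, neg=True)), neg=True)),
    (A(4), B(A(2), B(A(1, neg=True)), neg=True)),
    (A(1), B(B(A(4), neg=True), neg=True)),
]

def prop_count(clause):
    """Number of propositional literals in a clause."""
    return sum(isinstance(atom, int) for _, atom in clause)

def shape_parameters(formula, d):
    """Count clause shapes per depth and return (C, p) as in Section 6."""
    by_level = [[] for _ in range(d + 1)]

    def walk(clause, level):
        by_level[level].append(clause)
        for _, atom in clause:
            if not isinstance(atom, int):
                walk(atom[2], level + 1)

    for clause in formula:
        walk(clause, 0)
    if not all(by_level):
        raise ValueError("formula has no clause at some depth up to d")

    C, p = [], []
    for level, clauses in enumerate(by_level):
        K = max(len(c) for c in clauses)
        # C: number of clauses of each length 1..K at this depth.
        C.append([sum(len(c) == j for c in clauses) for j in range(1, K + 1)])
        if level < d:  # clauses at depth d are purely propositional
            sublist = []
            for j in range(1, K + 1):
                group = [c for c in clauses if len(c) == j]
                # Empty sub-sublist when no clause of length j occurs;
                # otherwise counts for r = 0..j propositional literals.
                sublist.append([sum(prop_count(c) == r for c in group)
                                for r in range(j + 1)] if group else [])
            p.append(sublist)
    return C, p

def normalize(dist):
    """Divide the weights of one distribution by their gcd."""
    g = reduce(gcd, dist, 0)
    return [w // g for w in dist] if g else list(dist)

if __name__ == "__main__":
    C, p = shape_parameters(SAMPLE, d=2)
    print("C =", C)
    print("p =", p)
    print("normalized C =", [normalize(x) for x in C])
    print("normalized p =", [[normalize(x) for x in lvl] for lvl in p])
```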

Theorem 6.1 Let rnd_CNF□m be a purely random generator as in Figure 13. Let φ be a sorted 
CNF□m formula of depth d and with L top-level clauses built on all the propositional atoms in 
{A_1, ..., A_N} and on all the modal boxes in {□_1, ..., □_m}, which has no repeated clause at top level 
and no repeated atoms inside any clause at any level. Let C and p be built from φ so as to verify 
points (a) and (b) above. Let C' and p' be obtained from C and p respectively by substituting some 
zero-values with some non-zero values. Then we have: 

(i) rnd_CNF□m(d,m,L,N,p,C) returns φ with some non-zero probability 𝒫; 

(ii) rnd_CNF□m(d,m,L,N,p',C') returns φ with some non-zero probability 𝒫' < 𝒫. 

Proof The fully-detailed proof is reported in Appendix. Here we sketch the main steps. 
The following facts come straightforwardly by induction on the structure of φ: 

1. every propositional atom occurring in φ at some depth i is returned with the same non-zero 
probability 𝒫_1 by both rnd_atom(0,m,N,p,C) and rnd_atom(0,m,N,p',C'); 

2. every modal atom □_r Cl occurring in φ at some depth i is returned with some non-zero 
probability 𝒫_2 by rnd_atom(d-i,m,N,p,C), and is returned with some non-zero probability 𝒫'_2 < 𝒫_2 
by rnd_atom(d-i,m,N,p',C'); 

3. every clause Cl occurring in φ at some depth i is returned with some non-zero probability 
𝒫_3 by rnd_clause(d-i,m,N,p,C), and is returned with some non-zero probability 𝒫'_3 < 𝒫_3 by 
rnd_clause(d-i,m,N,p',C'). 

Thus, every top level clause Cl_k is returned by rnd_clause(d,m,N,p,C) and rnd_clause(d,m,N,p',C') 
with some non-zero probabilities 𝒫_k and 𝒫'_k respectively, being 𝒫'_k < 𝒫_k. From this fact, it comes 
straightforwardly that φ is returned by rnd_CNF□m(d,m,L,N,p,C) and rnd_CNF□m(d,m,L,N,p',C') 
with some non-zero probabilities 𝒫 and 𝒫' respectively, being 𝒫' < 𝒫. Q.E.D. 

From a theoretical viewpoint, Theorem 6.1 (i) shows that our generation technique is very 
general, because, for every CNF□m formula φ, there exists a choice for the parameters s.t. a purely 
random generator returns φ with some non-zero probability 𝒫. 

Of course, the choice criterion for C and p suggested by points (a) and (b) is not unique as, 
for example, any other setting obtained from it by turning zeros into non-zeros would match the 
requirements. As an extreme case, we might think to make very general choices like 

C = [[1,1,1,...], ...]    p = [[[1,1], [1,1,1], [1,1,1,1], ...], ...].    (6) 

which guarantee to have every possible CNF□m formula within a given bound in clause size with 
non-zero probability. Anyway, Theorem 6.1 (ii) shows that, extending the number of non-zero 
values, the probability of generating φ decreases. 

For instance, consider Example 5.1. Turning the first list in C of (5) into [1,1,1] would still 
allow for generating the formula (2), but it would allow for generating also unary clauses at top level 
with probability 1 − (2/3)^L, which converges quickly to 1 with L. 

Usually we are not interested in randomly generating one precise formula with some non-zero 
probability — which would be rather small anyway — but rather in randomly generating a class of 
formulae which are as similar as possible to a given target class of formulae. Adding redundant non-zeros 
would extend the range of shapes for formulae, extending the variance and lowering the resemblance 
to the target class of formulae. 

7. Discussion 

7.1 The Basic and the Advanced Method 

Our new testing method can be used at two different levels, depending on the attitude — and on the 
skills and experience — of the user. 

In the basic usage the clause length C is represented by lists with either only one non-zero 
element (e.g., [[0,0,1]], meaning "clause length 2") or only two adjacent non-zero elements 
(e.g., [[0,2,1]], meaning "clause length 2 or 3, with probability 2/3 and 1/3 respectively"); 
similarly, the propositional/modal rate p is represented by lists with either only one non-zero element 
(e.g., [[[], [], [0,1,0,0]]], meaning "1 propositional literal per clause") or only two 
non-zero adjacent elements (e.g., [[[], [], [0,3,2,0]]], meaning "either 1 or 2 propositional 
literals per clause, with probability 3/5 and 2/5 respectively"); the distributions do not vary with 
the depth. 

In the basic way the random generator is used as a "flawless"^10 extension of the 3CNF□m 
method of Giunchiglia and Sebastiani (1996), which allows for setting the clause length to either 
fixed integer values or to non-integer average values. The number of parameters is kept relatively 
small, so as to allow a coarse-grained coverage of a significant subspace with an affordable number 
of tests. 

In the advanced usage, it is possible to apply any finite probability distributions to both C and p; 
moreover, it is possible to use different distributions at different depths. This opens a huge amount 
of possibilities, but requires some skills and experience from the user: the representation of 
sophisticated multi-level distributions may be rather complicated, and may thus require some practice; 
moreover, the usage of complex distributions requires some care, as the presence of non-constant 
distributions in both clause length and propositional/modal rate may significantly enlarge the variance 
of the features of the generated formulae, making the effects of the tests more unpredictable and 
instance-dependent. 

In order to guide the user, we provide some general suggestions for choosing the parameter sets 
in a testing session. They come from both theoretical issues and our practical experience in using 
the generator. 

• Avoid generating purely propositional top-level clauses, that is, set p = [[..., 0],...]. 
See Sections 4.1 and 5.1. If possible, avoid generating unary top-level clauses, that is, set C 
= [[0,...],...]. See also Section 7.5. 

10. In the sense of "free from the flaw highlighted in the work by Hustadt and Schmidt (1999) and Giunchiglia 
et al. (2000)". 

• In organizing a testing session, fix the parameter sets according to the following order and 
directives. 

(i) Fix d. With d = 1 the search is mostly dominated by its propositional component, with 
d > 2 it tends to be dominated by its modal component. d = 2 is typically a good start. 

(ii) Fix m. m substantially partitions the problem into m independent problems. Increasing m, 
the samples tend to be more likely-satisfiable. m = 1 is typically a good start. 

(iii) Set C. Increasing the top level values of C, the samples tend to be more likely-satisfiable 
and the propositional component of search increases, so that the transition area moves 
to the right and the hardness peaks grow. Average values in [2.0, 3.0] for the top level 
distributions of C are typically a good start. 

(iv) Set p. Decreasing the top level values of p, the modal component of search increases. 
For the top level distributions of p, having on average half of top-level atoms 
propositional (that is, the p = 0.5 of Section 4) is typically a good start. 

(v) For each choice of the above parameters, increase N, starting from (at least) the 
maximum length in C, until the desired level of hardness is reached. 

(vi) Make L vary within the satisfiability transition area. 

• When dealing with C and p, focus on top-level clause distributions first. Small variations 
of C and p at top level may cause big variations in hardness and satisfiability probability. 
Variations at lower levels typically cause much smaller effects. 

• Use convex distributions: e.g., [1,5,1] and [5,1,5] have the same mean value, but the 
variance of the former is much smaller than that of the latter. 

• Do keep L ranging in the satisfiability transition area: increasing L out of it, the fraction of 
trivially unsatisfiable samples can become relevant. To determine the satisfiability transition 
area, make a preliminary check with few samples per point (say, 10) using dichotomic search. 

• Unlike N (and m), the parameters d, C, p make the formulas vary their shape. Thus, we 
suggest to group together plots with the same d, C and p values and increasing N's. 

On the whole, the large number of parameters makes it impossible to cover the parameter space 
in a reasonable amount of testing. However, just about any CNF□m formula shape can be generated 
so that the method described in Section 6 can be used to produce random formulae reasonably 
similar to some formula(e) of interest. 

7.2 Comparison with the Old 3CNF□m Method 

On the whole, the new method inherits all the features of the old 3CNF□m method. 

Scalability: Increasing N, d (and also the average clause length in C) the difficulty of the generated 
problems scales up at will. Thus it is possible to compare how the performance of different 
systems scale up with problems of increasing difficulty, for each source of difficulty (e.g., 
size, depth, etc.). 

Valid vs. not-valid balance: The parameter L allows for tuning the satisfiability rate of the formula 
at will. Moreover, it is always possible to choose L to generate testbeds with about a 50%- 
satisfiable rate, which allows for the maximum uncertainty. 
Termination: The new method allows for generating test sets of up to depth 3-4 which are run by 
state-of-the-art systems in a reasonable amount of time. 

Reproducibility: The results of each testbed are easy to reproduce because the generator's code 
and all the parameters' values are made publicly available. 

Parameterization: The random generation of CNF□m formulae is fully parametric. 

Data organization: The most natural way to use the new random generator is to generate tests and 
plot data by increasing values of one or two parameters. This allows for easy, quantitative and 
qualitative evaluations of the performances of the different procedures under test. 

Moreover, the new method improves on the 3CNF□m method in the following features.

Representativeness: As stated in Section 6, CNF□m formulae represent all formulae in the normal
modal logics from K(m) upward, as there is an equivalence-preserving way of converting all
modal formulae into CNF□m. From Theorem 6.1, the new method allows for a very fine-grained
sampling of the class of CNF□m formulae.

Difficulty: The random CNF□m formulae with d > 2 and N > 4 provide challenging test sets for
state-of-the-art procedures. CNF□m formulae with d > 4 and N > 9 can well be considered
as challenges for next-generation systems. (Of course, it is not a problem to generate easy
problems too.)

Control: The parameters N, d and C allow for controlling monotonically the difficulty of the test
set. (E.g., if you increase N, you are reasonably sure that your mean/median CPU time plots
will increase.) The parameter L allows for controlling the satisfiability rate. Monotonicity
allows for controlling one feature by simply increasing or decreasing one value, and thus for
eliminating uninteresting areas of the input space.

Modal vs. propositional balance: The size of the Kripke models spanned by the decision procedures
has increased exponentially with the higher modal depths reached by the new test sets;
moreover, the probability of repeated top-level atoms has dramatically reduced. Consequently,
unlike the tests by Hustadt and Schmidt (1999) and Giunchiglia et al. (2000) the
search is no longer dominated by the pure propositional component of reasoning, and the
empirical results show that a large number of modal successors are explored.

Finally, the new method completely removes or drastically reduces the effects of the following 
problems. 

Redundancy: Propositional and modal redundancy had already been eliminated in the last versions
of the 3CNF□m method (Giunchiglia et al., 2000). Moreover, the new method allows for
eliminating all strictly propositional clauses.

Triviality: The main cause of trivial unsatisfiability has been removed, so that trivially unsatisfiable 
formulae have been relegated out of the transition areas in our experiments. 

11. The number of possible distinct modal atoms increases hyper-exponentially with d (Horrocks et al., 2000). 






Artificiality: Our method allows the user to shape the test formulae so as to maximize the
resemblance to the expected typical inputs of his/her system(s). Of course, this is done within
the limits imposed by randomness: the more irregular the typical input formulas, the higher
the variance of the randomly generated formulas, and the lower their average resemblance to the
typical input formulas.

Over-size: The new method allows for generating extremely hard problems with reasonable size.
The analysis of the resulting data shows that hard problems require very large numbers
of both search branches and generated modal successors, so that the search is not dominated
by parsing and data management.

The generator presented by Horrocks and Patel-Schneider (2002) also extends the 3CNF□m generator
of Giunchiglia et al. (2000). However, our new generator allows for shaping the probability
distributions of both C and p, and for using different distributions at every depth level. In principle,
the generator of Horrocks and Patel-Schneider (2002) also allows for setting the probabilities $n_p$
and $n_m$ by which propositional and modal atoms are negated. However, this feature is not used
very much (in the experiments by Horrocks and Patel-Schneider (2002) $n_p$ is always 0.5 and $n_m$
is different from 0.5 only in one experiment) and adds nothing to the generality of the generator,
so that in our new generator we decided not to re-introduce it.

7.3 Comparison with the QBF-based Method 

Before comparing our new CNF□m generation method with the QBF-based generation method, we
must note that, so far, they have been used in different ways, corresponding to the two different
test techniques briefly summarized in Section 3.

• In the TANCS competition(s) (Massacci, 1999), the tests have been performed on single
data points, and the results are presented in the form of big tables, each entry consisting
of the number of successful solutions and of the rescaled geometrical mean CPU time for
such solutions. Two or more systems are compared according to their number of successful
solutions, considering the geometrical mean CPU time value only when the result is even.
This is due to the fact that a comparison between geometrical means is possible only if they
are computed on the same number of successful values, or, for a more accurate comparison,
on the same successful values. This method was chosen to guarantee the fairness of the
comparison between the competitors, which is the key requirement in a competition.

• In this paper instead, we have focused on highlighting both the qualitative and quantitative
behavior of the system(s). Thus we have preferred plots to tables, and we have preferred
representing percentile CPU times rather than the number of successful solutions and their
geometrical mean times. In fact, the former do not require distinguishing between successful
and non-successful solutions. Thus, they are much more suitable for plotting, because
a comparison on geometrical means makes sense only for those data points with the same
number of successful solutions, which is very hard to follow in a plot.

12. In case of tests exceeding the timeout, geometrical means are altered by the truncation introduced by the unsuccessful 
solutions. Thus the geometrical mean makes sense only if calculated only on successful results. 

13. If the percentage of successful solutions is greater than or equal to Q, then the value of the
Q-th percentile is not influenced by the truncation of values introduced by timeouts, otherwise
it is equal to the timeout value.

Of course, both generators can be used in both ways. (See Heguiabehere and de Rijke (2001)
for some plots with the random QBF-based method.) Comparing the two approaches above in
organizing and presenting data is not one of the goals of this paper, so we restrict our analysis to the
generation methods, independently from how they have been used so far.
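
The two ways of summarizing timed-out runs contrasted above (footnotes 12 and 13) can be compared directly. The following Python sketch is an added example, not code from the paper: the run times, the 1000 s cutoff and the function names are constructed for illustration, and the nearest-rank percentile definition is an assumption.

```python
import math

TIMEOUT = 1000.0  # seconds; constructed cutoff for this illustration

# Constructed CPU times (seconds) for two hypothetical systems on the same
# ten problems of one data point; None marks a run that hit the timeout.
SYSTEM_A = [0.1, 0.2, 0.4, 0.8, 1.5, 3.0, 6.0, 12.0, 400.0, None]
SYSTEM_B = [0.05, 0.05, 0.1, 0.1, 0.2, 0.2, 0.3, None, None, None]


def percentile(times, q, timeout):
    """Nearest-rank Q-th percentile; timed-out runs count as the timeout value."""
    if not times or not isinstance(q, int) or not 0 < q <= 100:
        raise ValueError("need at least one run and an integer 0 < q <= 100")
    capped = sorted(timeout if t is None else t for t in times)
    rank = (q * len(capped) + 99) // 100  # ceil(q * n / 100) in integers
    return capped[rank - 1]


def solved_fraction_reaches(times, q):
    """True when at least Q percent of the runs finished (footnote 13's condition)."""
    solved = sum(t is not None for t in times)
    return 100 * solved >= q * len(times)


def geometric_mean_of_successes(times):
    """(number solved, geometric mean over solved runs only), as in footnote 12."""
    solved = [t for t in times if t is not None]
    if not solved:
        return 0, None
    return len(solved), math.exp(sum(map(math.log, solved)) / len(solved))


def tancs_style_winner(a, b):
    """Rank by number solved; look at the geometric mean only when that is even."""
    (na, ga), (nb, gb) = geometric_mean_of_successes(a), geometric_mean_of_successes(b)
    if na != nb:
        return "A" if na > nb else "B"
    if ga == gb:
        return "tie"
    return "A" if ga < gb else "B"


if __name__ == "__main__":
    for name, runs in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        n, gm = geometric_mean_of_successes(runs)
        print(f"system {name}: solved {n}/10, geometric mean of successes {gm:.3f}s")
        for q in (50, 90):
            value = percentile(runs, q, TIMEOUT)
            note = "" if solved_fraction_reaches(runs, q) else " (timeout value)"
            print(f"  {q}th percentile: {value}s{note}")
    print("TANCS-style winner:", tancs_style_winner(SYSTEM_A, SYSTEM_B))
```

System B has the smaller geometric mean only because it is averaged over fewer, easier successes, while the percentiles can be plotted for both systems without separating solved from unsolved runs.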

The QBF-based generation method of Massacci (1999) shares with our new CNF□m generation
method several features (in particular Scalability, Valid vs. not-valid balance, Termination,
Reproducibility, Parameterization, Data Organization, Difficulty, Modal vs. propositional
balance, Redundancy and Triviality) for which considerations which are identical or analogous to
those for our new method hold, once we consider parameters V, D and C instead of parameters N,
d and L. The following features instead deserve more discussion.

Control: The parameters V and D allow for controlling monotonically the difficulty of the test set.
The parameter C allows for controlling the satisfiability rate. However, unlike the CNF□m
case, the main parameters of the QBF generator (e.g., D and V) do not have a direct meaning
with respect to the main characteristics of the resulting modal formulae like, e.g., the modal
depth and the number of propositional variables.

Representativeness: In general QBF formulae are good representatives for the whole class of
quantified boolean formulae, as there is a way to convert a generic quantified boolean formula
into QBF.¹⁴ (The randomly generated QBF formulae used by Massacci (1999) are restricted to
those having a fixed amount of variables per alternation.) Nevertheless, the class of
modal-encoded QBF formulae is restricted to those having candidate Kripke structures with the very
regular structure imposed by the QBF and/or binary search trees.

Artificiality: Unlike the CNF□m case, the main parameters of the QBF generator (e.g., D and V)
do not have a direct meaning with respect to the main characteristics of the resulting modal
formulae. Thus, it is hard to choose the parameters for the random QBF generator so as to resemble
expected typical inputs of the system(s).

Over-size: One final problem with random modal-encoded QBF formulae is size. Initial versions
of the translation method produced test sets in the 1GB range, which put too much stress on the
data-storage and retrieval portion of the provers. (For example, running DLP on these formulae
resulted in a 1000s timeout without any significant search.) Although the encoding has
been significantly improved in this sense, the current versions still produce very large modal
formulae, mostly to constrain the Kripke structures.

Similar considerations have been very recently presented by Heguiabehere and de Rijke (2001). 

On the whole, we believe that the QBF generation method is still appealing, and that the two
methods can co-exist in any empirical test session.



14. Notice that by "QBF" here we denote the class of prenex CNF QBF formulae, given by an alternation of quantification
variables ending with an existential one followed by a CNF propositional formula. The conversion works by lifting
quantifiers outside the formula and then converting into k-CNF [k-DNF] the matrix if the innermost quantifier is an ∃ [a ∀,
negating the result and pushing down the negation recursively]. The conversion is truth-preserving [truth-inverting].

7.4 Complexity Issues

From a purely theoretical viewpoint, it is remarked that modal-encoded QBF formulae can capture
the problems in s£, while CNF□m formulae are "stuck at NP" (Massacci, 1999)¹⁵. This statement
requires some clarification.

First, test sets are necessarily finite, therefore it makes no sense to attribute to them a complexity 
class. Thus, when speaking of complexity classes for test problems, we do not refer to test sets, but 
rather to the infinite sets of formulae we could generate if we could have unbounded values for (at 
least one of) the generation parameters. In particular, the statement above means that the infinite set 
of QBF formulae with unbounded number of variables per alternation V and bounded alternation 
depth D is complete for (Garey & Johnson, 1979), while the infinite set of CNF□m formulae
with bounded depth and unbounded number of propositional variables is in NP (Halpern, 1995).

Secondly, the alternation depth D and the variable number per alternation V are not the
"QBF-analogous" of K^^n^'s modal depth and variable number respectively, as both the latter values for
the resulting modal formulae grow as O(D · V).¹⁶ In fact, QBF formulae with bounded alternation
depth D and unbounded number of variables per alternation V give rise to modal formulae of both
unbounded depth and unbounded number of variables.

Finally, the vs. NP" issue of Massacci (1999) is not a matter of generators, but rather a 
matter of how such generators are used, and of how results are organized and presented. In fact, 
so far random CNF□m testbeds have always been organized by fixing all the parameters except L
(modal depth d included!) and making L vary. This choice, whose goal is to produce data plots
covering the satisfiability transition area, is what causes the testbed formulae to be "stuck at NP".
To avoid this fact, one may want to make d vary and to fix all the other parameters, as K(m)
satisfiability with unbounded depth and bounded number of propositional variables is
PSPACE-complete (Halpern, 1995).

7.5 Asymptotic Behavior 

Achlioptas et al. (1997) presented a study on the asymptotic behavior of random CSP problems.
They showed that, for most well-known random generation models (which did not reveal flaws in
empirical tests) the probability that problems are trivially unsatisfiable tends to 1 with N → ∞,
N being the number of variables. Gent et al. (2001) later explained this discrepancy between
theoretical and empirical results by showing that the above phenomenon happens with significant
probability only for values of N which are out of the reach of current CSP solvers.

The problem is due to the possible presence of (implicit) unary constraints causing some
variable's value to be inadmissible. If this occurs with some non-zero probability, then with non-zero
probability some variable may have all its values inadmissible. This causes a "local" inconsistency
of the whole problem, which is very easily revealed by the solver. When N → ∞, the probability
of not having such a situation tends to zero. Analogous problems have been revealed with random
SAT problems generated with the constant probability generation model, as unary clauses are
generated with non-zero probability (Mitchell et al., 1992), and with random QBF problems, as implicit
unit clauses, i.e., clauses containing only one existential variable, are generated with non-zero
probability (Gent & Walsh, 1999). For the random k-SAT model, k > 2, this problem does not
occur (Friedgut, 1998; Achlioptas et al., 1997).

15. More precisely, Massacci (1999) referred to the 3CNF□m formulae of Giunchiglia et al. (2000). The statement holds
also for all the CNF□m formulae.

16. As we have already noticed (Horrocks et al., 2000), a better "QBF-analogous" of the modal depth is the total number
of universally quantified variables U (U = V · [D/2] in our case). In fact, like modal K(m) with bounded depth,
the class of QBF formulae with bounded U is only complete in NP, as it is possible to "guess" a tree-like witness
with 0(t/- 2^) nodes.

Our generation model is far more complicated to analyze than the models above. First, CNF□m
formulas have a much more complicated structure than random SAT, CSP and QBF formulas,
involving a much wider number of parameters. Second, unlike with the models discussed above, the
(constraints described by) CNF□m clauses are not picked in a uniform way, as the probability of
generating a given CNF□m atom $\Box_r\varphi$ varies strongly with its depth and shape, and it is typically
much smaller than that of generating a propositional atom $A_i$.¹⁷ Thus, developing a formal
probabilistic analysis for the asymptotic behavior of our model is out of the reach (and of the scope) of
this paper. However, we provide here some heuristic considerations.

The simplest case is when we do not allow the generation of unary clauses at top level, that is, 
when C = [[ ,...],...], so that we do not have explicit unary constraints. We may still have 
implicit unary constraints like, e.g., [Ai V □rc/') A (Aj V -^U^cf)) or V ^r'f) A {^ii^ V -iD^i/)). 
Anyway, a simple heuristic consideration suggests that, given the big numbers of distinct CNF□m
modal atoms which may potentially be generated, such situations are more unlikely than that of
having implicit unit constraints like $(A_i \lor A_j) \land (A_i \lor \lnot A_j)$ in the standard 2-SAT model, which is
free from the asymptotic local inconsistency problem.

A more critical case is when we allow for the generation of unary clauses at top level, that
is, when C = [[x,...],...], x > 0. In this case we can generate unary clauses, and thus
local inconsistencies, with non-zero probability. Thus, a simple way to avoid this problem is to
restrict the values of C so as not to allow unary top-level clauses, that is, to always set C =
[[ ,...],...] . Notice, however, that this hardly becomes a problem in practice if we respect
the condition described in Sections 4.1 and 5.1 of avoiding purely propositional top-level
clauses (that is, always set p = [[..., ],...] ). In fact, given the big numbers of distinct
CNF□m modal atoms which may potentially be generated, the probability of having two contradictory
modal unit clauses $\Box_r\varphi$, $\lnot\Box_r\varphi$ within the same formula becomes quickly negligible even with
small depths.

Notice that here we have intentionally not considered "modal" implicit unary constraints like,
e.g., $(A_i \lor \phi) \land (A_i \lor \psi)$, $\phi$ and $\psi$ being mutually inconsistent modal literals (e.g., cj) = □^'/'i,
ip = -nni^{(pi y (p2))- In fact, detecting such inconsistencies requires investigating recursively the
modal successors, and therefore it is not "trivial".

8. Conclusions and Future Work 

As shown by the test sets above, our new method, in its basic form, allows us to generate a wider
variety of problems covering more of the input space. We can better tune the difficulty of problems
for various parameter values, including the first reasonable test sets for maximum modal depths
of 2 and 3. We can produce interesting scaling dimensions, varying more than just the number of
propositional variables N. For example, we can now vary the propositional probability p or the
size of clauses C to vary the difficulty of interesting problems. As neither p nor C is restricted to
integral values, we have extremely fine control over the difficulty of test sets. Thus we can create
more interesting test sets where the satisfiable/unsatisfiable transition is explorable with current
decision procedures.

17. Again, we recall that the number of possible distinct CNF□m atoms increases hyper-exponentially with the modal
depth d (Horrocks et al., 2000).

We have drastically reduced the influence of trivial unsatisfiability, which flawed the previous
CNF□m methodologies when p > 0. We retain the desirable features of the previous CNF□m
methodologies. Our test sets are easy to reproduce and are not too large.

In our full methodology we have introduced the possibility of shaping the distribution of both
the size and the propositional/modal rate of the clauses. This can be done at each level of modal
depth. This allows for generating a much wider variety of problems, covering in principle the whole
input space. For instance, we have produced a full test set with d = 5 and N = 5 (Figure 15).

We have not moved closer to application data, as there are no significant direct applications
of modal decision procedures and thus no guidance for the sorts of inputs that would be close to
application inputs. In any case, we believe we have moved closer than ever to the possibility of
approximating given classes of input formulae.

There is still much work to be done using our generation methodology. We can produce more
test sets and try these test sets out on various modal decision procedures. We may also want to
uncover parameter settings where the full generality of our generation method is needed to produce
reasonable test sets.

Appendix A: Fully-detailed Proof of Theorem 6.1

Theorem 6.1 Let rnd_CNF□m be a purely random generator as in Figure 13. Let $\varphi$ be a sorted
CNF□m formula of depth d and with L top-level clauses built on all the propositional atoms in
$\{A_1, ..., A_N\}$ and on all the modal boxes in $\{\Box_1, ..., \Box_m\}$, which has no repeated clause at top level
and no repeated atoms inside any clause at any level. Let C and p be built from $\varphi$ so as to verify
points (a) and (b) of Section 6. Let C' and p' be obtained from C and p respectively by substituting
some zero-values with some non-zero values. Then we have:

(i) rnd_CNF□m(d,m,L,N,p,C) returns $\varphi$ with some non-zero probability $\mathcal{P}$;

(ii) rnd_CNF□m(d,m,L,N,p',C') returns $\varphi$ with some non-zero probability $\mathcal{P}' < \mathcal{P}$.

Proof The proof works by induction on the structure of $\varphi$. First, we prove that:

1. every propositional atom occurring in $\varphi$ at some depth i is returned with the same non-zero
probability $\mathcal{P}_1$ by both rnd_atom(0,m,N,p,C) and rnd_atom(0,m,N,p',C');

2. every modal atom $\Box_r Cl$ occurring in $\varphi$ at some depth i is returned with some non-zero
probability $\mathcal{P}_2$ by rnd_atom(d-i,m,N,p,C), and is returned with some non-zero probability
$\mathcal{P}'_2 < \mathcal{P}_2$ by rnd_atom(d-i,m,N,p',C');

3. every clause Cl occurring in $\varphi$ at some depth i is returned with some non-zero probability
$\mathcal{P}_3$ by rnd_clause(d-i,m,N,p,C), and is returned with some non-zero probability
$\mathcal{P}'_3 < \mathcal{P}_3$ by rnd_clause(d-i,m,N,p',C').

From point 3. we have that every top level clause $Cl_k$ is returned by rnd_clause(d,m,N,p,C) and
rnd_clause(d,m,N,p',C') with some probabilities $\mathcal{P}_k$ and $\mathcal{P}'_k$ respectively, being
$\mathcal{P}'_k < \mathcal{P}_k$. As $\varphi$ has no repeated clause, recalling a property of probabilities we have:

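$$
\begin{aligned}
\mathcal{P} = {} & \mathcal{P}_1 \cdot {} \\
& (\mathcal{P}_2 + \mathcal{P}_1\mathcal{P}_2 + \mathcal{P}_1^2\mathcal{P}_2 + \ldots) \cdot {} \\
& (\mathcal{P}_3 + (\mathcal{P}_1+\mathcal{P}_2)\mathcal{P}_3 + (\mathcal{P}_1+\mathcal{P}_2)^2\mathcal{P}_3 + \ldots) \cdot \ldots \cdot {} \\
& (\mathcal{P}_L + (\mathcal{P}_1 + \ldots + \mathcal{P}_{L-1})\mathcal{P}_L + (\mathcal{P}_1 + \ldots + \mathcal{P}_{L-1})^2\mathcal{P}_L + \ldots)
\end{aligned}
\tag{7}
$$

$$
= \prod_{k=1}^{L} \left( \sum_{i=0}^{\infty} \Big( \sum_{s=1}^{k-1} \mathcal{P}_s \Big)^{i} \cdot \mathcal{P}_k \right)
\tag{8}
$$

$$
= \prod_{k=1}^{L} \frac{\mathcal{P}_k}{1 - \sum_{s=1}^{k-1} \mathcal{P}_s}
\tag{9}
$$

Notice that (8) is strictly monotonic in all its components. Thus, $\mathcal{P}' < \mathcal{P}$.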
Now we need to prove points 1, 2 and 3. 

1. Let $A_k$ be a propositional atom in $\{A_1, ..., A_N\}$ occurring in $\varphi$ at depth i, for some i ≤ d.
Then both rnd_atom(0,m,N,p,C) and rnd_atom(0,m,N,p',C') invoke rnd_propositional_atom(N),
which returns $A_k$ with probability $\mathcal{P}_1 = 1/N$.

2. Let $\Box_r Cl$ be a boxed clause occurring in $\varphi$ at depth i, for some i < d and r ≤ m. Then the
clause Cl occurs in $\varphi$ at depth i + 1. (Notice that i < d instead of i ≤ d: $\Box_r Cl$ cannot occur
in $\varphi$ at depth d, because d is the maximum depth of $\varphi$.)

(i) By inductive hypothesis, it follows from point 3. that Cl is returned with some non-zero
probability $\mathcal{P}_3$ by rnd_clause(d-i-1,m,N,p,C). As i < d, rnd_atom(d-i,m,N,p,C) invokes
rand_box(m) · rand_clause(d-i-1,m,N,p,C), which returns $\Box_r Cl$ with the non-zero
probability $\mathcal{P}_2 = 1/m \cdot \mathcal{P}_3$.

(ii) By inductive hypothesis, it follows from point 3. that Cl is returned with some non-zero
probability $\mathcal{P}'_3 < \mathcal{P}_3$ by rnd_clause(d-i-1,m,N,p',C'). rnd_atom(d-i,m,N,p',C')
invokes rand_box(m) · rand_clause(d-i-1,m,N,p',C'), which returns $\Box_r Cl$ with the
non-zero probability $\mathcal{P}'_2 = 1/m \cdot \mathcal{P}'_3$. Thus, $\mathcal{P}'_2 < \mathcal{P}_2$.

3. Let Cl be a clause with length j and r ≤ j propositional literals, which occurs in $\varphi$ at depth
i, for some i ≤ d. As $\varphi$ is sorted, Cl is represented as
$Sort(\psi_1 \lor ... \lor \psi_r \lor \phi_1 \lor ... \lor \phi_{j-r})$,
where $\psi_1, ..., \psi_r$ denote propositional literals and $\phi_1, ..., \phi_{j-r}$ denote modal literals.

(i) By inductive hypothesis, it follows from point 1. that each propositional literal $\psi_k$ is
returned with some non-zero probability $0.5 \cdot \mathcal{P}_{1,k}$ by rnd_sign() · rnd_atom(0,m,N,p,C),
and it follows from point 2. that each modal literal $\phi_l$ is returned with the non-zero
probability $0.5 \cdot \mathcal{P}_{2,l}$ by rnd_sign() · rnd_atom(d-i,m,N,p,C).

By construction of C, the j-th element of the i-th sublist in C is non-zero; thus, j is
returned with some non-zero probability $\mathcal{P}_j$ by rnd_length(d-i,C).
By construction of p, the (r+1)-th element of the j-th sub-sublist of the i-th sublist in p is
non-zero; thus, r is returned with some non-zero probability $\mathcal{P}_{r|j}$ by rnd_propnum(d,p,j).
Similarly to (9), $\varphi$ has no repeated atoms inside any clause, so that Cl is returned by
rnd_clause(d-i,m,N,p,C) with the non-zero probability

$$
\mathcal{P}_3 = \mathcal{P}_j \cdot \mathcal{P}_{r|j} \cdot (0.5)^{j} \cdot
\prod_{k=1}^{r} \frac{\mathcal{P}_{1,k}}{1 - \sum_{s=1}^{k-1} \mathcal{P}_{1,s}} \cdot
\prod_{l=1}^{j-r} \frac{\mathcal{P}_{2,l}}{1 - \sum_{t=1}^{l-1} \mathcal{P}_{2,t}}.
\tag{10}
$$

As with (9), the expression on the right in (10) is strictly monotonic in all its terms $\mathcal{P}_j$,
$\mathcal{P}_{r|j}$, $\mathcal{P}_{1,k}$'s, $\mathcal{P}_{2,l}$'s within the domain of definition.

(ii) By inductive hypothesis, it follows from point 1. that each propositional literal $\psi_k$
is returned with some non-zero probability $0.5 \cdot \mathcal{P}'_{1,k} \le 0.5 \cdot \mathcal{P}_{1,k}$ by rnd_sign() ·
rnd_atom(0,m,N,p',C'), and it follows from point 2. that each modal literal $\phi_l$ is
returned with some non-zero probability $0.5 \cdot \mathcal{P}'_{2,l} < 0.5 \cdot \mathcal{P}_{2,l}$ by rnd_sign() ·
rnd_atom(d-i,m,N,p',C').

By construction of C and C', the j-th element of the i-th sublist in C' is non-zero; thus,
j is returned with some non-zero probability $\mathcal{P}'_j$ by rnd_length(d-i,C'). By construction
of C' from C, $\mathcal{P}'_j < \mathcal{P}_j$.

By construction of p and p', the (r+1)-th element of the j-th sub-sublist of the i-th
sublist in p is non-zero; thus, r is returned with some non-zero probability $\mathcal{P}'_{r|j}$ by
rnd_propnum(d,p,j). By construction of p' from p, $\mathcal{P}'_{r|j} < \mathcal{P}_{r|j}$.

As $\varphi$ has no repeated atoms inside any clause, it follows that Cl is returned by
rnd_clause(d-i,m,N,p',C') with the non-zero probability

$$
\mathcal{P}'_3 = \mathcal{P}'_j \cdot \mathcal{P}'_{r|j} \cdot (0.5)^{j} \cdot
\prod_{k=1}^{r} \frac{\mathcal{P}'_{1,k}}{1 - \sum_{s=1}^{k-1} \mathcal{P}'_{1,s}} \cdot
\prod_{l=1}^{j-r} \frac{\mathcal{P}'_{2,l}}{1 - \sum_{t=1}^{l-1} \mathcal{P}'_{2,t}}.
\tag{11}
$$

Because of the strict monotonicity of (10) and (11), we have that $\mathcal{P}'_3 < \mathcal{P}_3$.

Q.E.D. 
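
Equations (7)-(9) of the proof can be checked numerically. The Python sketch below is an added illustration, not code from the paper: it assumes the generator discards a repeated top-level clause and draws again, uses constructed clause probabilities, and compares the closed form (9), the truncated series (8) and a simulation of the event that (7) describes (the L clauses first appear in the order Cl_1, ..., Cl_L, with only repeats of earlier clauses in between).

```python
import random
from fractions import Fraction


def closed_form(probs):
    """Equation (9): product over k of P_k / (1 - sum of P_s for s < k)."""
    total, earlier = Fraction(1), Fraction(0)
    for pk in probs:
        total *= pk / (1 - earlier)
        earlier += pk
    return total


def series_form(probs, terms):
    """Equation (8) with every inner geometric series cut after `terms` terms."""
    total, earlier = Fraction(1), Fraction(0)
    for pk in probs:
        total *= sum(earlier ** i * pk for i in range(terms))
        earlier += pk
    return total


def simulate(probs, trials, seed):
    """Monte Carlo estimate of the event in (7), under the redraw-on-repeat assumption.

    Each draw returns target clause k with probability probs[k], or some clause
    outside the target formula with the remaining probability mass.
    """
    rng = random.Random(seed)
    wanted = len(probs)
    labels = list(range(wanted)) + [None]
    weights = [float(p) for p in probs] + [1.0 - float(sum(probs))]
    hits = 0
    for _ in range(trials):
        produced = 0
        while produced < wanted:
            draw = rng.choices(labels, weights)[0]
            if draw == produced:
                produced += 1          # the next expected clause arrived
            elif draw is None or draw > produced:
                break                  # a clause outside the formula, or out of order
            # otherwise: repeat of an earlier clause, discarded and redrawn
        hits += produced == wanted
    return hits / trials


if __name__ == "__main__":
    # Constructed probabilities for three distinct top-level clauses.
    p = [Fraction(3, 10), Fraction(2, 10), Fraction(1, 10)]
    print("closed form (9):     ", closed_form(p), "=", float(closed_form(p)))
    print("series (8), 30 terms:", float(series_form(p, 30)))
    print("simulation:          ", simulate(p, 200_000, seed=1))
    # Lowering any single P_k lowers the product, which is the monotonicity
    # step used to conclude P' < P.
    lowered = [Fraction(3, 10), Fraction(1, 10), Fraction(1, 10)]
    print("after lowering P_2:  ", float(closed_form(lowered)))
```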